This reads as: for the second matched group, run the spam() function on it. The second group is substituted into the spam() call, which is then executed. Maybe we can inject a command here.

I’ve recently done a couple of XSS tutorials/games, which have given me a fair bit of practice at command injection (in JavaScript, though), and felt I was getting quite natural and good at it. However, this PHP one ended up being just a big case of trial and error.

I started trying to execute phpinfo() – it nearly always works and doesn’t need any parameters passing to it.

Charles

Anon

I know this is a long time since you’ve posted this, but I just found it and thought I’d share my 2 cents on why this is working since you stated above you weren’t sure why it worked.

The file is read and stored as a string, which is evaluated on line 15:
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);

And $contents having the value:
"email {${exec(getflag)}}"

exec(getflag) is being placed inside of a function, which is being stored as an unnamed variable using the first set of braces ${ }. The outside set of braces is how you stick variables inside of strings in PHP. In this case the variable is actually a function with only 1 line, a call to exec(). Any time that string is evaluated, PHP needs to resolve the value between the outside braces to construct the string, which cascades into the call to exec().
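The corrected form of the call discussed above, as an added example (not code from the original post or the level's source): the /e modifier, deprecated in PHP 5.5 and removed in PHP 7.0, is replaced by preg_replace_callback() so the captured text is passed to spam() as data and never re-evaluated as PHP source. The body of spam() is an assumed stand-in, markup_safe() is a hypothetical name, and the sample inputs are constructed.

```php
<?php
// Added example: hardened equivalent of the preg_replace(.../e...) call.

// Assumed stand-in for the page's spam(); its real body is not shown on this page.
function spam(string $email): string
{
    return str_replace(['.', '@'], [' dot ', ' AT '], $email);
}

// Hypothetical helper: same pattern as the original call, minus the /e modifier.
// The callback receives the match as an ordinary array of strings, so nothing
// inside the capture is interpolated or executed.
function markup_safe(string $contents): string
{
    $out = preg_replace_callback(
        '/(\[email (.*)\])/',
        static function (array $m): string {
            return spam($m[2]); // group 2 is treated purely as data
        },
        $contents
    );

    if ($out === null) {
        // preg_replace_callback() returns null when PCRE itself fails.
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $out;
}

// Constructed sample inputs. Single quotes keep the second one literal here too.
$samples = [
    '[email alice@example.com]',
    '[email {${exec(getflag)}}]',
];

foreach ($samples as $sample) {
    echo markup_safe($sample), PHP_EOL;
}
```

With the callback form, the second sample comes back as inert text, because no step builds a PHP string expression out of the capture.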

I'm a security researcher and reverse engineer. By visiting this site, you must realise that any or all files on this site may be jam packed full of the finest exploits, tricks and other gubbins. You might also get geo-located and port-scanned for fun and profit.